Tenda M3 Stack-Based Buffer Overflow Vulnerability in DHCP AP Configuration

A stack-based buffer overflow vulnerability has been identified in the Tenda M3 router, specifically in the firmware version 1.0.0.13(4903). The issue arises in the 'formSetRemoteDhcpForAp' function within the '/goform/setDhcpAP' endpoint. This vulnerability is caused by inadequate input validation and bounds checking on several parameters, including 'startip', 'endip', 'leasetime', 'gateway', 'dns1', and 'dns2'. The lack of proper sanitization allows for remote exploitation, leading to stack data corruption, control flow hijacking, and potential denial-of-service conditions.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, allowing for memory corruption, control flow manipulation, and denial-of-service conditions on the affected device.

Reproduction

To reproduce this vulnerability, the router must be set to 'ac.workmode=master', which is the default configuration. Once this is confirmed, send a POST request to the '/goform/setDhcpAP' endpoint. Include the 'startip', 'endip', 'leasetime', 'gateway', 'dns1', and 'dns2' parameters in the request. The 'dns2' parameter can be used to deliver a payload that exploits the buffer overflow, such as a string of repeated characters that exceeds the buffer's capacity.